Multi-factor authentication (MFA) is picking up speed… FAST. Enterprises and users have rapidly been adopting multi-factor authentication thanks to its ability to provide security and peace of mind to all parties while also offering an unobtrusive user experience. 

To better understand how and why this is happening, just take a look at where multi-factor authentication sits relative to some other technologies in an enterprise’s tech stack. Ping Identity recently held a webinar called “MFA Everywhere” where my colleague, Andrew Goodman, used this slide to demonstrate how MFA plays the role of stepping up authentication while interoperating with an enterprise’s existing single sign-on (SSO) solutions and applications:

When you implement a modern-day MFA solution during digital transformations or cloud-first initiatives, you can protect a wide range of applications, making your organization and your users more productive and secure in the process.

But risks are involved. Considering a few significant challenges upfront will save you from hitting major obstacles down the road.

SSO Solutions Can Enable or Inhibit MFA Everywhere for Enterprises

A common approach to deploying MFA for an enterprise is to integrate the multi-factor authentication solution with the existing single sign-on solution. 

This is analogous to adding an even more secure lock to the front door of your house. You ensure that when users are accessing their centralized application dock that you’ve appropriately secured that login with stronger authentication. And once applications are integrated with the SSO solution and are set up in the dock for one-click access, you can also add in MFA at the application level to step up security as needed, which would be akin to placing locks on all the bedroom doors in your house as well.

The catch here is that the ease and extent to which you can “put MFA on everything” will be limited by the capabilities of your existing SSO systems, which leads to three main challenges.

Enterprise Challenge #1: The Proliferation of SaaS Apps 

Who is affected most? Enterprises with legacy SSO systems

At Ping Identity, we have worked with enterprises and solved identity challenges for well over a decade. One of the biggest technological shifts during this time has been the adoption of cloud computing. Innovations in cloud computing led to a new SaaS delivery model for software, which enterprises continue to invest in heavily.

Studies show that SaaS applications equate to nearly one quarter of an enterprise’s application portfolio today and that the velocity of SaaS adoption is quite high. This proliferation of SaaS applications in the enterprise has caused issues for some enterprises using older SSO systems that weren’t designed to handle the challenges of authenticating into SaaS applications. This trend gave birth to a variety of IDaaS vendors who set out to offer enterprises an IDaaS solution to authenticate into the SaaS apps in their application portfolios.

In this situation, an enterprise is left with two viable options. One is the shorter-term fix of deploying an MFA solution capable of being the gateway to those SaaS applications. (Longer-term, an enterprise would eventually look to incorporate those SaaS applications into their SSO systems, but sometimes specific circumstances dictate what’s possible to implement today.) The important part is to understand that doing this is step one of a two-step process, and to ensure MFA for SaaS apps doesn’t cause issues down the line for future decisions.

The second option is to adopt an SSO solution like an IDaaS capable of easily authenticating users into their SaaS applications with one centralized dock. This option is especially popular when an enterprise is undergoing cloud-first initiatives. Pursuing this option will ensure simple and secure multi-factor authentication to address the trend of enterprises continually adopting SaaS applications.

Enterprise Challenge #2: The Lingering of On-prem Apps 

Who is affected most? Enterprises with pure IDaaS systems

At first glance, it appears that IDaaS is the ideal solution for the cloud-first enterprise. While this can be true in certain situations, unfortunately those situations typically show themselves in smaller enterprises that are almost entirely consuming SaaS applications.

For large, complex or older enterprises that have significant investments in on-prem apps, cloud adoption is not something that just happens overnight. Operational challenges with switching software can trump IT’s cloud-first vision, and many homegrown, custom or off-the-shelf applications still don’t have a SaaS alternative that will work for the use cases of a specific enterprise.

Adopting a pure IDaaS solution to add MFA for SaaS apps solves the previously mentioned challenge, but creates another obstacle. At this point, the enterprise encounters challenges reaching back on-premises where the majority of the portfolio still lives.

Some IDaaS solutions allow you to integrate MFA with VPNs or other proxies to provide some level of security to the on-prem applications, but this is at the expense of application-level MFA to those on-prem apps. The end result is you’ve overcome one challenge—but created another.

Enterprise Challenge #3: Private Cloud Applications

Who is affected most? Cloud-first enterprises without SaaS options for necessary applications

Of course, IT infrastructure is not so simple today as to involve only on-prem applications and SaaS applications. Enterprise IT is investing heavily in cloud infrastructure as well, with many projects underway to move on-premises apps to cloud infrastructure so that there is no longer a need to manage physical hardware. This has added another infrastructure layer that needs to be considered when looking for MFA solutions.

Cloud-first enterprises today are adding cloud infrastructure either as an addition or replacement for on-premises infrastructure. Sometimes these networks are merged and there is minimal impact on SSO or MFA, but other times networks might be separate and certain cloud applications may or may not be made public-facing. If an application is public-facing and supports common identity standards, then integrating those applications with an MFA solution should be relatively painless. However, if applications are in the cloud but not public facing, enterprises run into the same challenges mentioned in the previous sections.

MFA for the Cloud-first Enterprise

During transition is when you are most vulnerable, and IT today is in a state of transition while moving from on-premises IT to cloud-based IT (in the form of adopting SaaS and cloud applications while also moving to cloud infrastructure). To mitigate the risks during this migration to cloud, modern MFA is an option being rapidly adopted by enterprises because of its seamless and secure nature. However, it’s important to consider your enterprise’s layout to understand what solutions can work enterprise-wide, rather than for only a portion of the application portfolio, so that you don’t leave your enterprise vulnerable during this crucial transition period.

Ping Identity is an expert in securely simplifying enterprise complexity, and in our experience, our zero-downtime-migration solutions are especially well suited for cloud-first enterprises that have a vision to move their enterprise to the cloud. This is done with MFA offered as a service that can be easily paired with SSO offered either as a service or deployed on-prem or in the cloud of your choice via a simple MFA adapter.

Planning ahead and understanding the trade-offs of different solutions can be an invaluable early-stage activity to pursue in order to avoid costly obstacles in the near future during enterprise cloud transitions. Multi-factor authentication can help improve an enterprise’s security posture, and the right MFA solution for your situation ensures overly complex workarounds down the road don’t overburden your IT department.

When you’re ready to assemble requirements for a solution, the MFA Buyer’s Guide can help you make the right decision for your enterprise.